How secure is your password?

Anyone who has any kind of electronic account has a password.  But what is that password protecting?  For most people they have passwords protecting their private and financial information.  If you work on a computer at all for your job you hopefully have a password to access your computer.  That password is probably protecting much more than just your information, but also your employers information as well.

Just how secure are your passwords?  Strangely most people still do not take their password security seriously.  Once you have your accounts accessed, money stolen or just your reputation tarnished because someone used one of your accounts to do bad stuff, you will take password security much more seriously.

We all have heard of those that put their passwords on their monitors or on the bottom of the keyboard.  Hopefully that is not you!  There are some simple ways to keep passwords very secure and easy to remember.

Before I get into some quick ways to make your password secure I want to talk about the 2 methods that are used together to crack your password.

Most modern password crackers use a dictionary and the brute force method.  The dictionary has the most common words used in passwords and will use the dictionary to generate many variations of the words in the dictionary.  They also do some of the most common modifications to the dictionary words.

For example, lets say your password is cutePuppy1.  The password crackers probably already have the words cute and puppy in them.  In the process they will try every word and word combination and will try just about every variation of cutepuppy, for example: Cutepuppy, CutePuppy, cut3Puppy, Cut3Puppy, etc.  In addition they will add modifiers like 1, 2 to the end of the combinations.

Seems like there would be millions upon millions of combinations right?  Yes there are but you have to remember that a computer can do many millions of checks per second.  And with a good dictionary the process takes no time at all.

If the dictionary cannot get a match then comes the brute force attack where it starts with a-z then aa-zz then aaa-zzz and so on until it finds a match.  So how long would it take to break the cutepuppy password?  About 56 seconds.  By changing the P in Puppy to capital it takes 7.8 hours and the 1 on the end takes it to 3 1/2 months.

So now that you understand the methods to break a password, how can you make your password more secure?  First, use no words that are in a dictionary.  I am sure you have always heard not to use your kids names, birthday, your address, etc.  Let's expand that to any word in the dictionary.

I understand that makes it hard to remember passwords because the password looks like rubbish.  Here are some techniques you can use to make them easy to remember:

  • Use acronyms, for example, I like the song from The Police called "Every Little Thing She Does Is Magic".  So the base password would be "eltsdim".  Add some modifiers to that like "!3ltsdiM!".  Just remember the longer the better.
  • Use a Pattern.  For example, a simple pattern would be 1qaz2wsx#EDC which is the first 3 columns on the keyboard with the 3rd column being in shift mode.  You could fo every other column, start at the 3rd column, etc.  Mix it up.  Just try to keep a good mix of upper and lowecase, numbers and special characters.  My first pattern example would take 1.7 thousand centuries to bruce force.
  • Use a password mangement program like LastPass or 1Password.  These tools not only keep track of your passwords for you, they will also generate long and secure passwords.

 Now that I have given you some ways to make an easy to remember and secure password, let me show you how you can check how good your password really is.  First, remember no dictionary words.  Go to https://www.grc.com/haystack.htm and put in your new password.  Look at the "Offline Fast Attack Scenerio" for the amount of time it would take the average brute force attack.

I mentioned 2 password management programs above, here are the links to them as well:

https://lastpass.com/
https://agilebits.com/onepassword

I have used both and both are great.  I am currently using lastpass with a yubico as an additional level of protection.

Please comment and ask questions if you have any, I love the feedback.